icmp: Correct off by one errors dealing with number of echo request ids

ICMP echo request and reply packets include a 16-bit 'id' value. We have some arrays indexed by this id value. Unfortunately we size those arrays with USHRT_MAX (65535) when they need to be sized by the total number of id values (65536). This could lead to buffer overruns. Resize the arrays correctly, using a new define for the purpose. Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
2024-07-01 23:42:41 +00:00 · 2022-09-24 19:08:23 +10:00 · 2022-09-24 19:08:23 +10:00 · 8978f6552b
commit 8978f6552b
parent d5b80ccc72
1 changed files with 3 additions and 2 deletions
--- a/icmp.c
+++ b/icmp.c
@ -39,6 +39,7 @@
 #include "icmp.h"

 #define ICMP_ECHO_TIMEOUT	60 /* s, timeout for ICMP socket activity */
+#define ICMP_NUM_IDS		(1U << 16)

 /**
 * struct icmp_id_sock - Tracking information for single ICMP echo identifier
@ -53,10 +54,10 @@ struct icmp_id_sock {
 };

 /* Indexed by ICMP echo identifier */
-static struct icmp_id_sock icmp_id_map	[IP_VERSIONS][USHRT_MAX];
+static struct icmp_id_sock icmp_id_map[IP_VERSIONS][ICMP_NUM_IDS];

 /* Bitmaps, activity monitoring needed for identifier */
-static uint8_t icmp_act			[IP_VERSIONS][USHRT_MAX / 8];
+static uint8_t icmp_act[IP_VERSIONS][DIV_ROUND_UP(ICMP_NUM_IDS, 8)];

 /**
 * icmp_sock_handler() - Handle new data from socket